The binary reads from stdin using the __getdelim function, and the only delimiter is '\n':

```c
/* delimiter 10 == '\n' */
v3 = __getdelim(&lineptr, &n, 10, stdin);
```

The __printf_chk function is used for printing to stdout; it checks whether the format string contains a positional parameter like "%N$", which means I can't use direct parameter access in the format string, but we still have a memory leak through the format string vulnerability.
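To make the distinction concrete from the defender's side, here is an added example (my code, not the author's) that parses printf conversion specifications out of an input line, the way a fortified printf or a log-inspection rule would, and reports whether the line carries positional "%N$" parameters (which __printf_chk rejects), "%n" writes, or only sequential read conversions. The sample lines are constructed. It also treats "%n" as rejected, which holds for glibc's fortified printf when the format string lives in writable memory, as a heap line buffer does.

```python
import re

# One printf conversion specification: optional positional "N$" (what
# __printf_chk rejects), flags, width, precision, length modifier, conversion.
SPEC_RE = re.compile(
    r"%(?P<pos>\d+\$)?[-+ #0']*(?:\*|\d+)?(?:\.(?:\*|\d+))?"
    r"(?:hh|h|ll|l|j|z|t|L|q)?(?P<conv>[diouxXeEfFgGaAcspnm%])"
)


def find_specs(line):
    """Return (is_positional, conversion_char) for every specification in line."""
    return [(m.group("pos") is not None, m.group("conv"))
            for m in SPEC_RE.finditer(line)]


def classify_format(line):
    """Classify an untrusted line by what it would do if used as a printf format.

    'positional'  - contains %N$; glibc's __printf_chk aborts on these
    'write'       - contains %n; rejected by fortify for writable format strings
    'sequential'  - only read conversions (%p, %x, %s, ...); this is the leak the
                    writeup relies on, so it is the pattern worth alerting on
    'clean'       - no conversions at all (a literal "%%" is fine)
    """
    specs = [(pos, conv) for pos, conv in find_specs(line) if conv != "%"]
    if not specs:
        return "clean"
    if any(pos for pos, _ in specs):
        return "positional"
    if any(conv == "n" for _, conv in specs):
        return "write"
    return "sequential"


if __name__ == "__main__":
    # Constructed sample lines, as they might arrive on the service's stdin.
    for sample in ["hello", "100%% done", "%3$p", "%p.%p.%p.%p", "AAAA%n"]:
        print("%-14r -> %s" % (sample, classify_format(sample)))
```

The regex follows the printf grammar rather than looking for bare "%" characters, so a line such as "100%% done" is not flagged while "%08lx" is; a monitoring rule built on the "sequential" class catches the leak probes that the fortify check lets through.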

How to exploit this binary? A stack-based buffer overflow is the answer. The following steps need to be followed:

1. Exploit the format string vulnerability to leak a libc address and calculate the libc base.
2. Leak the canary.
3. Using the libc base, calculate the virtual addresses of the system function and the ‘/bin/sh’ string.
4. Set up the argument of the system function: the rdi register must contain the ‘/bin/sh’ virtual address.
5. Overwrite the canary at the correct offset with its original value.
6. Build the ROP chain.

Additionally, the remote service presents a preliminary challenge on every connection (the value x changes each time):

Opening connection to time-is.quals.2017.volgactf.ru on port 45678: Done
Solve a puzzle: find an x such that 26 last bits of SHA1(x) are set, len(x)==29 and x[:24]== ed6f7c92ad91d92e79fc9258

For solving the challenge about SHA-1, I used the following snippet:

```python
import hashlib
from itertools import product

# num is x[:24], the fixed prefix taken from the puzzle text
num = "ed6f7c92ad91d92e79fc9258"
# brute-force the remaining 5 characters (len(x) == 29) over [0-9a-z]
x = "0123456789abcdefghijklmnopqrstuvwxyz"
p = product(x, repeat=5)

for n in p:
    f = "".join(n)
    final = num + f
    number = hashlib.sha1(final.encode()).hexdigest()
    # accept when the 26 low bits of the digest are all set
    if (int(number, 16) & 0x3FFFFFF) == 0x3FFFFFF:
        print("[+] Plain text found %s" % final)
        break

# s is the pwntools remote connection opened earlier
s.sendline(final)
```
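As an added example (my code, not the author's), the puzzle above generalised: a parser for the banner line the service prints, a verifier for the three conditions it states, and a solver parameterised by the number of bits so it can be exercised quickly at a lower difficulty. The banner text is the one quoted above; the alphabet and the widening step are my assumptions. One caveat the snippet above does not show: with 26 bits the expected number of trials is 2^26 (about 67 million), while the search space of 5 characters over [0-9a-z] is 36^5 (about 60 million), so a solution is not guaranteed and the solver falls back to a larger alphabet when the first one is exhausted.

```python
import hashlib
import re
from itertools import product

# Banner line as quoted from the service (the prefix changes per connection).
PUZZLE_LINE = ("Solve a puzzle: find an x such that 26 last bits of SHA1(x) are set, "
               "len(x)==29 and x[:24]== ed6f7c92ad91d92e79fc9258")

PUZZLE_RE = re.compile(
    r"(\d+) last bits of SHA1\(x\) are set, len\(x\)==(\d+) and x\[:(\d+)\]== ?([0-9a-f]+)"
)

# Alphabets tried in order; the second is the fallback when the first runs out.
ALPHABETS = [
    "0123456789abcdefghijklmnopqrstuvwxyz",
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
]


def parse_puzzle(line):
    """Return (bits, total_len, prefix) from the banner text, or raise ValueError."""
    m = PUZZLE_RE.search(line)
    if m is None:
        raise ValueError("unrecognised puzzle line")
    bits, total_len, prefix_len, prefix = m.groups()
    if len(prefix) != int(prefix_len):
        raise ValueError("prefix length does not match x[:%s]" % prefix_len)
    return int(bits), int(total_len), prefix


def verify(x, bits, total_len, prefix):
    """True iff x satisfies all three puzzle conditions."""
    if len(x) != total_len or not x.startswith(prefix):
        return False
    digest = int(hashlib.sha1(x.encode()).hexdigest(), 16)
    mask = (1 << bits) - 1
    return (digest & mask) == mask


def solve(bits, total_len, prefix, alphabets=ALPHABETS):
    """Brute-force the suffix; return a solution or None if every alphabet is exhausted."""
    suffix_len = total_len - len(prefix)
    mask = (1 << bits) - 1
    for alphabet in alphabets:
        for tail in product(alphabet, repeat=suffix_len):
            candidate = prefix + "".join(tail)
            if (int(hashlib.sha1(candidate.encode()).hexdigest(), 16) & mask) == mask:
                return candidate
    return None


if __name__ == "__main__":
    bits, total_len, prefix = parse_puzzle(PUZZLE_LINE)
    # Full difficulty takes minutes in pure Python; 12 bits finishes instantly.
    demo = solve(12, total_len, prefix)
    print("12-bit demo solution:", demo, "valid:", verify(demo, 12, total_len, prefix))
```

Parsing the banner instead of hard-coding the prefix matters because x changes on every connection; verifying before sending catches an off-by-one in the length or a solver bug locally rather than after a failed handshake.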

In my tests, the remote libc version was the same as my local one:

```
Architecture: amd64
Source: glibc
Version: 2.23-0ubuntu7
```

Now I’ll make the exploit: first get the libc base, then the virtual addresses of the system function and the ‘/bin/sh’ string.